The IPv6 (in)security

Transcription

1 The IPv6 (in)security Łukasz Bromirski Confidence , Prague, XI

2 Disclaimer The IPv6 should be treated as another protocol there s no inherent security problem in the idea itself, but as usual, many mechanism need to be mastered to be applied securely We will migrate to IPv6 at some point in time, so you ll either spend time now to learn and apply the knowledge in practice, or be forced to learn it very fast later on with obvious drawbacks You re running IPv6 anyway propably today, even if you don t know it 2

3 Agenda The security problems in IPv4 solved in IPv6 Attack environment for IPv6 Protecting the network Management plane Control plane Data plane Other issues and areas of concern Real life implementation info Q&A 3

4 Security problems of IPv4 solved in IPv6 4

5 None All layers above IPv4 are equally insecure as the ones over the IPv6 IPv6 makes some things better, other things worse and some things differently than in IPv4 IPv6 is more complex than IPv4 complexity brings problems in security All vendors leading IPv6 efforts have already published bugs, and they ll publish more Cisco, Juniper, Microsoft, Sun/Oracle and a lot of Open Source software 5

6 IPv6 attack environment 6

7 Nothing changed fundamentally Sniffing IPv6 mandates IPsec capabilities, do you use it end-to-end after finally getting connected? Application-level attacks Even if IPsec is turned on most of the attacks happen in this layer anyway, so did you install a Service Pack today? Rogue devices & MITM attacks Still can and will be executed 7

8 Reconnaissance In IPv6 Subnet Size Difference Default subnets in IPv6 have 2 64 addresses 14.8 Mpps (roughly a 10GE interface) = ~ years This makes scanning blindly inefficient There are interesting studies for real world assignment behaviors for IPv6 addressing* Billion = 52 Trillion Trillion IPv6 addresses per person World s population is approximately 6.5 billion * Malone, D Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), April

9 Reconnaissance In IPv6 Scanning Methods Are Likely to Change Public servers will still need to be DNS reachable More information collected by Google... Increased deployment/reliance on dynamic DNS More information will be in DNS Using peer-to-peer clients gives IPv6 addresses of peers Administrators may adopt easy-to-remember addresses (::10,::20,::F00D, ::DEAD, ::C5C0 or simply IPv4 last octet for dual stack) By compromising hosts in a network, an attacker can learn new addresses to scan Transition techniques derive IPv6 address from IPv4 address 9

10 Scanning Made Bad for CPU Potential router CPU attacks if aggressive scanning Router will do Neighbor Discovery... And waste CPU and memory Built-in rate-limiters, or just pushing a separate FPGA to do the job is not an solution, it s just a way to address the problem, not solve the root cause Using a /64 on point-to-point links => a lot of addresses to scan! Using infrastructure ACL prevents this scanning iacl: edge ACL denying packets addressed to your routers Easy with IPv6 because new addressing scheme can be done 10

11 Reconnaissance In IPv6? Easy With Multicast! No need for reconnaissance anymore 3 site-local multicast addresses FF05::2 all-routers, FF05::FB mdnsv6, FF05::1:3 all DHCP servers Several link-local multicast addresses FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP,... Some deprecated (RFC 3879) site-local addresses but still used FEC0:0:0:FFFF::1 DNS server Source Destination Payload Attacker FF05::1:3 DHCP Attack 2001:db8:2:: :db8:1:: :db8:3::

12 Reconnaissance In IPv6? Defense at the edge of own network Organization B Organization A ipv6 access-list NO_RECONNAISSANCE deny any fec0::/10 permit any ff02::/16 permit any ff0e::/16 deny any ff00::/8 permit any any The site-local/anycast addresses must be filtered at the border in order to make them unreachable from the outside ACL block ingress/egress traffic to Block FEC0::/10 (deprecated site-local addresses) Permit mcast to FF02::/16 (link-local scope) Permit mcast to FF0E::/16 (global scope) Block all mcast 12

13 Protecting the management plane 13

14 Management plane Management, provisioning, monitoring with protocols like SSH, FTP, SNMP, Syslog, TACACS+ i RADIUS, DNS, NetFlow, ROMMON, CDP, LLDP, others Peer B Internet Network Ops Center (NOC) Peer A CE CE PE PoP P In-Band Mgmt IP/MPLS Core AS 123 Out-of- Band Mgmt P PoP PE CE CE CE CE CE PE P P PE CE 14

15 Control plane All the protocols that are making the network to work forward packets, establish adjacencies with new routers, etc. protocols like BGP, OSPF, LDP, IS-IS, ARP, Layer 2 keepalives, ATM OAM, PPP LCP, others Peer B Internet Peer A CE CE CE CE PE LDP ISIS PE PoP ibgp LDP ISIS ibgp LDP ISIS P ibgp LDP ISIS IP/MPLS Core AS 123 ibgp LDP ISIS ibgp LDP P ISIS P P ibgp LDP ISIS ibgp PoP LDP ISIS ibgp LDP ISIS PE LDP ISIS PE CE CE CE CE 15

16 Data plane Traffic going from and to customers it s the traffic SP shouldn t touch, but contains all of the protocols customers can use Peer B Internet Peer A CE CE PE PoP P IP/MPLS Core AS 123 P PoP PE CE CE CE CE CE PE P P PE CE 16

17 Management over IPv6 SSH, syslog, SNMP, NetFlow all work over IPv6 Dual-stack management plane More resilient: works even if one IP version is down More exposed: can be attacked over IPv4 and IPv6 Currently under development: RADIUS But, IPv6 RADIUS attributes can be transported over IPv4 As usual, infrastructure ACL is your friend 17

18 Protecting the control plane 18

19 Preventing IPv6 Routing Attacks Protocol Authentication BGP, ISIS, EIGRP no change: An MD5 authentication of the routing update OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPSec RIPng and PIM also rely on IPSec IPv6 routing attack best practices Use traditional authentication mechanisms on BGP and IS-IS Use IPSec to secure protocols such as OSPFv3 and RIPng 19

20 Link-Local vs. Global Addresses Link-Local addresses, fe80::/16, (LLA) are isolated Cannot reach outside of the link Cannot be reached from outside of the link Could be used on the infrastructure interfaces Routing protocols (including BGP) work with LLA Benefit: no remote attack against your infrastructure Implicit infrastructure ACL Note: need to provision loopback for ICMP generation (notably traceroute and PMTUD) LLA can be configured statically (not the EUI-64 default) to avoid changing neighbor statements when changing MAC interface FastEthernet 0/0 ipv6 address fe80::1/16 link-local 20

21 ARP Spoofing is now NDP Spoofing: Threats ARP is replaced by Neighbor Discovery Protocol Nothing authenticated Static entries overwritten by dynamic ones Stateless Address Autoconfiguration rogue RA (malicious or not) All nodes badly configured DoS Traffic interception (Man In the Middle Attack) Attack tools exist (from THC The Hacker Choice) Parasit6 Fakerouter

22 ARP Spoofing is now NDP Spoofing: Mitigation BAD NEWS: nothing like dynamic ARP inspection for IPv6 Platforms dealing with the traffic in hardware will need to be upgraded meaning either forklift upgrade (whole chassis/rp/lc) or just a firmware update on the FPGAs GOOD NEWS: Secure Neighbor Discovery (RFC 3971) SEND = NDP + crypto Present in Cisco IOS and an open source implementations But not in Windows Vista, 2008, 7... (incompatible with SLAAC privacy extensions enabled by default) Crypto means slower while it may not hit your workstation it will hit many small computers (the case as it was with vendors not implementing WEP and then WPA because it slows down the network ) and needs PKI infrastructure Other GOOD NEWS: Private VLAN works with IPv6 Port security works with IPv6 801.x works with IPv6 Port ACL on IPv6 capable switches For FTTH & other broadband access, DHCP-PD means not need to layer-2 communication between CPE 22

23 Secure Neighbor Discovery (SEND) RFC 3971 Cryptographically Generated Addresses (CGA) IPv6 addresses whose interface identifiers are cryptographically generated RSA signature option Protect all messages relating to neighbor and router discovery Timestamp and nonce options Prevent replay attacks Certification paths for authorized Routers Anchored on trusted parties, expected to certify the authority of the routers on some prefixes 23

24 Protecting the data plane 24

25 DoS Example Ping-Pong over Physical Point-to-Point Same as in IPv4, on real P2P, if not for me send it on the other side... Could produce looping traffic Platforms implementing RFC 4443 (ICMPv6) correctly are not affected here Use /127 on P2P link (see also RFC 3627 and use infrastructure ACL or only link-local addresses R1 2) To 2001:db8::3 3) To 2001:db8::3 R2 Serial 0/0 2001:db8::1/64 Serial 0/0 2001:db8::2/64 4) To 2001:db8::3... 5) To 2001:db8::3 25

26 IPv6 Bogon Filtering and Anti-Spoofing IPv6 nowadays has its bogons: Similar situation as IPv4 => Same technique for single-homed edge= urpf IPv6 Intranet Inter-Networking Device with urpf Enabled X IPv6 Intranet/Internet IPv6 Unallocated Source Address No Route to SrcAddr => Drop 26

27 IPv6 Privacy Extensions (RFC 3041) /23 /32 /48 / Interface ID Temporary addresses for IPv6 host client application, e.g. web browser Inhibit device/user tracking Random 64 bit interface ID, then run Duplicate Address Detection before using it Rate of change based on local policy Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back) 27

28 IPv6 Header Manipulation Unlimited size of header chain (spec-wise) can make filtering difficult Potential DoS with poor IPv6 stack implementations More boundary conditions to exploit Can I overrun buffers with a lot of extension headers? Perfectly Valid IPv6 Packet According to the Sniffer Header Should Only Appear Once Destination Header Which Should Occur at Most Twice Destination Options Header Should Be the Last See also: 28

29 Parsing the Extension Header Chain Finding the layer 4 information is not trivial in IPv6 Skip all known extension header Until either known layer 4 header found => SUCCESS Or unknown extension header/layer 4 header found... => FAILURE IPv6 hdr HopByHop Routing AH TCP data IPv6 hdr HopByHop Routing AH Unknown L4??? IPv6 hdr HopByHop Unk. ExtHdr AH TCP data 29

30 Fragment Header: IPv6 Next Header = 44 Fragment Header IPv6 Basic Header Fragment Header Next Header Fragment Header Reserved Fragment Offset Identification Fragment Data In IPv6 fragmentation is done only by the end system Tunnel end-points are end systems => Fragmentation / re-assembly can happy inside the network Reassembly done by end system like in IPv4 Attackers can still fragment in intermediate system on purpose a great obfuscation tool 30

31 Parsing the Extension Header Chain Fragmentation Matters! Extension headers chain can be so large than it is fragmented! Finding the layer 4 information is not trivial in IPv6 Skip all known extension header Until either known layer 4 header found => SUCCESS Or unknown extension header/layer 4 header found... => FAILURE Or end of extension header => FAILURE IPv6 hdr HopByHop Routing Destination Destination Fragment1 IPv6 hdr HopByHop Fragment2 TCP Data Layer 4 header is in 2 nd fragment 31

32 Type 0 Routing Header One issue: Amplification Attack Beside the well-known dumb firewall by-pass... What if attacker sends a packet with RH containing A -> B -> A -> B -> A -> B -> A -> B -> A... Packet will loop multiple time on the link R1-R2 An amplification attack! A B * As of RFC 5095 (Dec 2007) RH0 is deprecated 32

33 IPsec End-to-End will Save the World? IPv6 mandates the implementation of IPsec IPv6 does not require the use of IPsec Some organizations believe that IPsec should be used to secure all flows... Interesting scalability issue (n 2 issue with IPsec) Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall Network telemetry is blinded: NetFlow of little use Network services hindered: what about QoS? Recommendation: do not use IPsec end to end within an administrative domain. Suggestion: Reserve IPsec for residential or hostile environment or high profile targets. 33

34 IPv6 Other issues and areas of concern 34

35 IPv6 tools ready to be used Let the Games Begin Sniffers/packet capture Snort TCPdump Sun Solaris snoop COLD Wireshark Analyzer Windump WinPcap Scanners IPv6 security scanner Halfscan6 Nmap Strobe Netcat DoS Tools 6tunneldos 4to6ddos Imps6-tools Packet forgers Scapy6 SendIP Packit Spak6 35

36 Tools of trade THC IPv6 Attack Toolkit parasite6, alive6, fake_router6, redir6, toobig6, detect-new-ip6, dos-new-ip6, fake_mld6, fake_mipv6, fake_advertiser6, smurf6, rsmurf6 Scanners nmap, halfscan6 Packet forgery Scapy6, SendIP, Packit, Spak6 DoS Tools 6tunneldos, 4to6ddos, Imps6-tools 36

37 IPv4 to IPv6 Transition Challenges 16+ methods, possibly in combination Dual stack Consider security for both protocols Cross v4/v6 abuse Resiliency (shared resources) Tunnels Bypass firewalls (protocol 41 or UDP) Can cause asymmetric traffic (hence breaking stateful firewalls) 37

38 Dual Stack Host Considerations Host security on a dual-stack device Applications can be subject to attack on both IPv6 and IPv4 Fate sharing: as secure as the least secure stack... Host security controls should block and inspect traffic from both IP versions Host intrusion prevention, personal firewalls, VPN clients, etc. IPv4 IPsecVPN with No Split Tunneling Dual Stack Client IPv6 HDR IPv6 Exploit Does the IPsec Client Stop an Inbound IPv6 Exploit? 38

39 Dual Stack With Enabled IPv6 by Default Your host: IPv4 is protected by your favorite personal firewall... IPv6 is enabled by default (Vista, Linux, Mac OS/X,...) Your network: Does not run IPv6 Your assumption: I m safe Reality You are not safe Attacker sends Router Advertisements Your host configures silently to IPv6 You are now under IPv6 attack Probably time to think about IPv6 in your network 39

40 Enabling IPv6 on a Remote Host (in this Case Mac OS/X) 1) Dual-Stack 2) Hacker: I m the Router MacOS: any IPv6 Router? 4) The Full IPv6 Address of the MacOS 3) Newly Enabled IPv6 MacOS does DAD 40

41 Transition Threats ISATAP Unauthorized tunnels firewall bypass (protocol 41) IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise This has implications on network segmentation and network discovery No authentication in ISATAP rogue routers are possible Windows default to isatap.example.com Ipv6 addresses can be guessed based on IPv4 prefix ISATAP Router Any Host Can Talk to the Router ISATAP Tunnels IPv4 Network ~ Layer 2 for IPv6 Service Direct Communication 41

42 6to4 Relay Security Issues Traffic injection & IPv6 spoofing Prevent spoofing by applying urpf check Drops 6to4 packets whose addresses are built on IPv4 bogons Loopback RFC 1918 Redirection and DoS Block most of the ICMPv6 traffic: No Neighbor Discovery No link-local traffic No redirect Traffic is asymmetric 6to4 client/router -> 6to4 relay -> IPv6 server: client IPv4 routing selects the relay IPv6 server -> 6to4 relay -> 6to4 client/router: server IPv6 routing selects the relay Cannot insert a stateful device (firewall,...) on any path 42

43 TEREDO? Teredo navalis A shipworm drilling holes in boat hulls Teredo Microsoftis IPv6 in IPv4 punching holes in NAT devices Source: United States Geological Survey 43

44 Teredo Tunnels (1/3) Without Teredo: Controls Are In Place All outbound traffic inspected: e.g., P2P is blocked All inbound traffic blocked by firewall IPv6 Internet IPv4 Firewall IPv4 Internet Teredo Relay IPv4 Intranet 44

45 Teredo Tunnels (2/3) No More Outbound Control Teredo threats IPv6 Over UDP (port 3544) Internal users wants to get P2P over IPv6 Configure the Teredo tunnel (already enabled by default!) FW just sees IPv4 UDP traffic (may be on port 53) No more outbound control by FW IPv6 Internet IPv4 Firewall IPv4 Internet Teredo Relay IPv4 Intranet 45

46 Teredo Tunnels (3/3) No More Outbound Control Once Teredo Configured Inbound connections are allowed IPv4 firewall unable to control IPv6 attack can reach the target directly Host security needs IPv6 support now IPv6 Internet IPv4 Firewall IPv4 Internet Teredo Relay IPv4 Intranet 46

47 µtorrrent 1.8 (Released Aug. 08) 47

48 Looping Attack Between 6to4 and ISATAP 1. Spoofed packet S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 6to4 relay IPv4 Packet containing S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 ISATAP router Prefix 2001:db8::/ Root cause Same IPv4 encapsulation (protocol 41) Different ways to embed IPv4 address in the IPv6 address ISATAP router: accepts 6to4 IPv4 packets Can forward the inside IPv6 packet back to 6to4 relay Symmetric looping attack exists 3. IPv6 packet S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 Repeat until Hop Limit == 0 Mitigation: Easy on ISATAP routers: deny packets whose IPv6 is its 6to4 Less easy on 6to4 relay: block all ISATAP-like local address? Good news: not so many open ISATAP routers on the Internet 48

49 6to4/6rd Tunnels Bypass Centralized ACL 6to4/6rd relay IPv6 Internet ACL tunnel IPv4 6to4/6rd router Direct tunneled traffic ignores hub ACL 6to4/6rd router 6rd CPE router can be configured to always go through hub Direct CPE-CPE communication must then be forbidden by IPv4 network 49

50 Notes from a real world 50

51 Summary 51

52 IPv6 (in)security Any network is as secure as You can make it Do not blindly copy IPv4 templates to IPv6 ones use caution and knowledge...most of the work is already done, but needs rethinking when applied to a new protocol Do not fight with IPv6 try to embrace it s capabilities NAT no longer needed, one less step to correlate events/configure the user account Stateless or stateful autoconfiguration, mobility 52

53 IPv6 (in)security If you don t have IPv6-enabled ISP, go to HE or SixxS and get an IPv6 tunnel to start practicing

54 Any questions? 54

55 Thanks! IPv6 (in)security Łukasz Bromirski 55

56 56